af4bd528b68ac052bb8d00f76e0490f636bbcfd8bafeb02e0ca9cf6a5568ea42

Analysis

max time kernel
146s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe
Size

472KB
MD5

1412d60920ca86f26dfdbedda2e3786f
SHA1

44843fc5affe697b65fc9431a6f7d4d0d28ced91
SHA256

af4bd528b68ac052bb8d00f76e0490f636bbcfd8bafeb02e0ca9cf6a5568ea42
SHA512

fc7151cabfca31f852e21a4db1368f0b1f8135c721bb5cb3117b10b6105d63f657082c8c3c9c7ea752d6c75dd6c23b99a9b5ff8b461a059063db2b2ba448280a
SSDEEP

6144:Bylu6uz5Y49Bqi5qZ366VuUxY9tRElNCgeVTiARduu0npl:0lpMjof3B8UxYbwCXVTRduJ

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+kjxek.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: * http://t54ndnku456ngkwsudqer.wallymac.com/2E467B70BD69ED24 * http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/2E467B70BD69ED24 * http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/2E467B70BD69ED24 If for some reasons the addresses are not available, follow these steps 1 Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 After a successful installation, run the browser 3 Type in the address bar: xlowfznrg4wf7dli.onion/2E467B70BD69ED24 4 Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://t54ndnku456ngkwsudqer.wallymac.com/2E467B70BD69ED24 http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/2E467B70BD69ED24 http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/2E467B70BD69ED24 Your personal pages TOR Browser xlowfznrg4wf7dli. onion/2E467B70BD69ED24

URLs

http://t54ndnku456ngkwsudqer.wallymac.com/2E467B70BD69ED24

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/2E467B70BD69ED24

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/2E467B70BD69ED24

http://xlowfznrg4wf7dli.onion/2E467B70BD69ED24

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (378) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2536	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe

Executes dropped EXE 1 IoCs

pid	Process
2784	dvajtoweqsyj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynergny = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Windows\\dvajtoweqsyj.exe"	dvajtoweqsyj.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\slideShow.css	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Reference Assemblies\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\es-ES\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\VideoLAN\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\activity16v.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mousedown.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\_ReCoVeRy_+kjxek.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_ReCoVeRy_+kjxek.html	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\settings.css	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_ReCoVeRy_+kjxek.txt	dvajtoweqsyj.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	dvajtoweqsyj.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\dvajtoweqsyj.exe	1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe
File opened for modification	C:\Windows\dvajtoweqsyj.exe	1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5ED59241-0A49-11EF-A7EB-E60682B688C9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000d5636215f1dcf4f5916ba7f5a914d090184cac6bc8b274605963dac7b0c5fc1e000000000e8000000002000020000000294df20ee47af202e23948699171094a2dfc1f757473d8a90167a5e096d78d062000000047a5514761afb800dd70b4bf2e5fcf269690f5a3355cbb74e111da44904fffa240000000ddaee33646a097d66b0d9f3023df11557cd00b5d4b892566bdd1ba168638a33d5516876534f29cccc54936bb4e8e7e79a5772b269bfd2bf93835c3dd0ceeac8b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5025ea33569eda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b0000000002000000000010660000000100002000000076cfcffc3f59e4102ff6d213f18ac967e501c31a419c56f311d9dce14fc842e7000000000e80000000020000200000007a0b00c8e147f18caa72b6e2d065551616c65cb66b55535517d1c35d6ddef3f790000000db24afac26486e63fbc51481a1b93352ef158d7192349044d711a64405d48c3729936c7f335044dac13c0baf2e850f9d893e43c3b52fa592a97adfc23378a1f05eb74c0a067c10cc68df42e67a5bea286f642b10142042fc09bb40ada44322cdc0752cf469e45d2feb3d34e66e1129a73253cfce17f6e00138ea0b52d5ccbb3d8e00377347a66187b231d2d6c9c3b86f400000009efcfc0fb6e00a65ee22f1b435cab2becccece6acb925c525f4f399c8b431913cdf07db15f4c82b70723667bf310a6d68882698d81f4da5387a92aa15974bae7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
672	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe
2784	dvajtoweqsyj.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1400	1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe
Token: SeDebugPrivilege	2784	dvajtoweqsyj.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe
Token: SeSecurityPrivilege	2360	WMIC.exe
Token: SeTakeOwnershipPrivilege	2360	WMIC.exe
Token: SeLoadDriverPrivilege	2360	WMIC.exe
Token: SeSystemProfilePrivilege	2360	WMIC.exe
Token: SeSystemtimePrivilege	2360	WMIC.exe
Token: SeProfSingleProcessPrivilege	2360	WMIC.exe
Token: SeIncBasePriorityPrivilege	2360	WMIC.exe
Token: SeCreatePagefilePrivilege	2360	WMIC.exe
Token: SeBackupPrivilege	2360	WMIC.exe
Token: SeRestorePrivilege	2360	WMIC.exe
Token: SeShutdownPrivilege	2360	WMIC.exe
Token: SeDebugPrivilege	2360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2360	WMIC.exe
Token: SeRemoteShutdownPrivilege	2360	WMIC.exe
Token: SeUndockPrivilege	2360	WMIC.exe
Token: SeManageVolumePrivilege	2360	WMIC.exe
Token: 33	2360	WMIC.exe
Token: 34	2360	WMIC.exe
Token: 35	2360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe
Token: SeSecurityPrivilege	2360	WMIC.exe
Token: SeTakeOwnershipPrivilege	2360	WMIC.exe
Token: SeLoadDriverPrivilege	2360	WMIC.exe
Token: SeSystemProfilePrivilege	2360	WMIC.exe
Token: SeSystemtimePrivilege	2360	WMIC.exe
Token: SeProfSingleProcessPrivilege	2360	WMIC.exe
Token: SeIncBasePriorityPrivilege	2360	WMIC.exe
Token: SeCreatePagefilePrivilege	2360	WMIC.exe
Token: SeBackupPrivilege	2360	WMIC.exe
Token: SeRestorePrivilege	2360	WMIC.exe
Token: SeShutdownPrivilege	2360	WMIC.exe
Token: SeDebugPrivilege	2360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2360	WMIC.exe
Token: SeRemoteShutdownPrivilege	2360	WMIC.exe
Token: SeUndockPrivilege	2360	WMIC.exe
Token: SeManageVolumePrivilege	2360	WMIC.exe
Token: 33	2360	WMIC.exe
Token: 34	2360	WMIC.exe
Token: 35	2360	WMIC.exe
Token: SeBackupPrivilege	2796	vssvc.exe
Token: SeRestorePrivilege	2796	vssvc.exe
Token: SeAuditPrivilege	2796	vssvc.exe
Token: SeIncreaseQuotaPrivilege	628	WMIC.exe
Token: SeSecurityPrivilege	628	WMIC.exe
Token: SeTakeOwnershipPrivilege	628	WMIC.exe
Token: SeLoadDriverPrivilege	628	WMIC.exe
Token: SeSystemProfilePrivilege	628	WMIC.exe
Token: SeSystemtimePrivilege	628	WMIC.exe
Token: SeProfSingleProcessPrivilege	628	WMIC.exe
Token: SeIncBasePriorityPrivilege	628	WMIC.exe
Token: SeCreatePagefilePrivilege	628	WMIC.exe
Token: SeBackupPrivilege	628	WMIC.exe
Token: SeRestorePrivilege	628	WMIC.exe
Token: SeShutdownPrivilege	628	WMIC.exe
Token: SeDebugPrivilege	628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	628	WMIC.exe
Token: SeRemoteShutdownPrivilege	628	WMIC.exe
Token: SeUndockPrivilege	628	WMIC.exe
Token: SeManageVolumePrivilege	628	WMIC.exe
Token: 33	628	WMIC.exe
Token: 34	628	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
584	iexplore.exe
1908	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
584	iexplore.exe
584	iexplore.exe
2336	IEXPLORE.EXE
2336	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2784	1400	1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe	29
PID 1400 wrote to memory of 2784	1400	1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe	29
PID 1400 wrote to memory of 2784	1400	1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe	29
PID 1400 wrote to memory of 2784	1400	1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe	29
PID 1400 wrote to memory of 2536	1400	1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2536	1400	1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2536	1400	1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2536	1400	1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe	31
PID 2784 wrote to memory of 2360	2784	dvajtoweqsyj.exe	33
PID 2784 wrote to memory of 2360	2784	dvajtoweqsyj.exe	33
PID 2784 wrote to memory of 2360	2784	dvajtoweqsyj.exe	33
PID 2784 wrote to memory of 2360	2784	dvajtoweqsyj.exe	33
PID 2784 wrote to memory of 672	2784	dvajtoweqsyj.exe	43
PID 2784 wrote to memory of 672	2784	dvajtoweqsyj.exe	43
PID 2784 wrote to memory of 672	2784	dvajtoweqsyj.exe	43
PID 2784 wrote to memory of 672	2784	dvajtoweqsyj.exe	43
PID 2784 wrote to memory of 584	2784	dvajtoweqsyj.exe	44
PID 2784 wrote to memory of 584	2784	dvajtoweqsyj.exe	44
PID 2784 wrote to memory of 584	2784	dvajtoweqsyj.exe	44
PID 2784 wrote to memory of 584	2784	dvajtoweqsyj.exe	44
PID 584 wrote to memory of 2336	584	iexplore.exe	46
PID 584 wrote to memory of 2336	584	iexplore.exe	46
PID 584 wrote to memory of 2336	584	iexplore.exe	46
PID 584 wrote to memory of 2336	584	iexplore.exe	46
PID 2784 wrote to memory of 628	2784	dvajtoweqsyj.exe	47
PID 2784 wrote to memory of 628	2784	dvajtoweqsyj.exe	47
PID 2784 wrote to memory of 628	2784	dvajtoweqsyj.exe	47
PID 2784 wrote to memory of 628	2784	dvajtoweqsyj.exe	47
PID 2784 wrote to memory of 1300	2784	dvajtoweqsyj.exe	50
PID 2784 wrote to memory of 1300	2784	dvajtoweqsyj.exe	50
PID 2784 wrote to memory of 1300	2784	dvajtoweqsyj.exe	50
PID 2784 wrote to memory of 1300	2784	dvajtoweqsyj.exe	50

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dvajtoweqsyj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dvajtoweqsyj.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1412d60920ca86f26dfdbedda2e3786f_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\dvajtoweqsyj.exe
  C:\Windows\dvajtoweqsyj.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2784
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:672
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2336
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DVAJTO~1.EXE
    3⤵
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1412D6~1.EXE
  2⤵
  - Deletes itself
  PID:2536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+kjxek.html

Filesize
10KB

MD5
230146f1d5ba90d1ca9e56a640b26dd5

SHA1
eebf70f985241365b8e29b88f9e8861aff2654f1

SHA256
f74ac70bef31b068b1b19bc3fa143eb0a292fde9348d139ffc70b96469f23130

SHA512
1b49be7a2fc41b6bf91edba0d2b57ae2472daa3ccad852f80608e158eee05d7ce5bf4dfff4dc4da812763028c65e9dd766ed13be89e72de27c762b02ffa2b91f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+kjxek.png

Filesize
64KB

MD5
ac73c5ad972f6e0e6c0f91a9325e7d93

SHA1
2cacd060976e0e027aa16a09feabe972d917990c

SHA256
cc12033a8301753dc0b5e166b05cff552a94858df95d65948d0cf226b17a9524

SHA512
9d0bac0ac48ec4c373033f0f519ffc273cde5670afc3a17ca604ade160d528a944ae4e0119c10b0d72bb5489ba6566711b85dcef3af37eff01c8e28f85b8a4c8

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+kjxek.txt

Filesize
1KB

MD5
1b14038a1e38af926836bd11332306f1

SHA1
7fa922becb919432a3a8d3102f7e10d391f14275

SHA256
25c5f23fc7d2cf82864494875499ceff57530f40a8d5f047f66d2ca8979fdcc8

SHA512
5df455ced426fb19c5d9dcca30ec1cedfafe4188d4019f46cc763e33bd410b5c8f0343939883b0b1424d56e7a900558e8a236abd094410f83f7554b700b16940

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
07b1c1ab13cdeac386a150e83bff4e0a

SHA1
1b6a48f6e5b53c15e6c20a23f03a17c9e7047428

SHA256
8af5f2748bb430d28fa6279e670c28765b5e67623b6182bceda150427c49167a

SHA512
517f22f571923eea61a14eb81cd4c0a422da8f7e18560e49ef889a2b15ecfeb1922fe5696d73eb4f396a0cae2de8a89dbd7c905c1c1ae87f38f764b4fb342861

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
3cb7825945b0045a08624ead0dafa46e

SHA1
54a10eccc16b0375938478495a7aef0d8744aa00

SHA256
57c1dd431fd28458f414aa9b02ee0c9b820a44be7b2e7d6c8ac1da8769e49b73

SHA512
2c77d34a1c3b5a190659caeef076fcdc9c8eeb2d8649752b85735fff1aa03f0b918b39b64e4abf3b675a24f09deb6e8f4ee48e046447c802fbc8aa63edd86b79

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
d09d2d07fcbaa060caaa78dddc673549

SHA1
dd9f498e96e63bac59b415991001678de19e3dbf

SHA256
ce2166565df8da3161ec3320e11c2e291035c58d145358b27d279567043ed1ac

SHA512
2c48d73fdaff4b06d6b28ec1e7325abea3cdf9cc25230ef590e8d415003d93c5993e1769baae145854b824c34a4f7ac6d48843dd59f82a1916b5f929fbd9cc8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8721140c21408593ca58a94b6618eb97

SHA1
b8719984923fbdacb83a1863c0c12f1283730870

SHA256
6b85e3cffcb5f5266b72e94e2a804602248a9f6cbdab467199fab4f0722c943a

SHA512
325d91bd2f7ab8d245ebd856e6edea7723a6637cd4f8635e42725499989e6ba0ad3b2a58c1a1e9c2d40e26d7116eb8f58157fb0cb94994cc997abe0605799136

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
adbbac56f7f2f498fdf2cdf418ad01a5

SHA1
bd608bf4160594d7aa90f5375dcfe4361cf1dd91

SHA256
6a1824a324ce8d13b947fd40ed90b9da43faecc6a70a16c37486dbf2f096eb49

SHA512
2d0e019af785f08a0bb11176b0a2ce09b501ce02eefea81402766002fc649a8e03db82e52bff4961a21816732e0d2d36c2ad17667ec2d7a5b96d4e796313f525

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bee971b2f4fc99524844cea577a3a83c

SHA1
6bb2fccae9ac74086514232059a9fd9502647f26

SHA256
acfb73c49f469f919c2851e484891bc664218baef9a12ace9d031a656b47be69

SHA512
ad7f22a360a5dc5421c9d0e8e0a6df7fefab2f618c42d303cd5ff5024c4f0907722424a712e30cda05d097ac5b6e6daca22a35e043c52795819559fd47a66cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
002d294893b30d9e48b6dff625569313

SHA1
e1156115e932e29c080bdffa07179b69e717f68e

SHA256
0d5f88b67d5d61452b937336caed2f7758a430393507b6507d4b3e11cdcaba8d

SHA512
23bd53652611f14b56e91bd7c619e56e3bc8b4fca78035e2877a7bd5aa768720f67e6803d2a2240682e2c9f38b43e033ff1c1aef6c510e53196b384e9b7b53bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f76e77f8636a7d820960f7817e34486

SHA1
d6addbc1d801944aa75d47e788de40da15674c3d

SHA256
1c568c451dc742f15ecf3108399a3f07c6d479c12fe39bbfd2375ba4aefeacfc

SHA512
31d54177c222c3cb1a51ecd7ef350def80b41f47842637e7f11a9326299bc477e9cb98e5700deaa31459d8c8c533660d4d4f140f093f29904d75d7d51f828bd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b41ab1f20271671d661f080b5c34c572

SHA1
2fe99fdcb63f550ff0686f74a8fef170b995d59c

SHA256
9ec7e66904cb77542b650f181a1340f088a4208e3939235623d797c9256228f5

SHA512
5a25301a4d82c34bc07a9eb4920ca1628926d7bac7a7c91755550c22563821cc461fb51e7ac9e0f0e1c3d929d79aa7ed3f5157532e23026a2a919fd94f400927

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1eb9194e205e3945c7fde38631896beb

SHA1
8795269f4af4cbe720ce0413273d155836fdc520

SHA256
41ba3f2fc184a1f71efbbfa1ffe3b64f07a6fb0e04d172f4928104b6c3327472

SHA512
d7c519b14ea6f2530926557a1d998dc877edfb687fad27ec7a66b3143dd4f4252be3dd1a47207ffde41e8896b8544d1c44e0f2be9923fc07f55efcc463ba08ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3853fc9f72d95ef0bc9b691ecfea9c11

SHA1
000ca684dcbbd7d68f26f50e0d9c85d792365364

SHA256
027c27313d3f4d3bc03e3034002806287c4a9fd6185faa17584180fbc2add6ca

SHA512
59a2f942721daaba9a3bc0434f9f31adbd1e7ef33bed9ebde9e6d5815a7ac88c7b1cb930d4df3debb77e0e57cca93a8046e64a10bb2a848a474f98f0ea419a82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2aa1d2dcaaac9ce80c518a6cacaceabb

SHA1
e0f06ac7f94071657dd6a75b1316c17b883e57f0

SHA256
6a7cf4c060aa22352c91dd54ddbd18ea9fb64f692fba17d8ae86e17f9ecda536

SHA512
3efde57a15fff4d47a290fd42f00bb76eb7688b82b4c8b402b6aab8692be5c758a89b5c0cb408f5c74f2a88118aa753cf5de1ffb759938efbc1d9475668d00d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b58c955cafc33f753ce787753ee76f81

SHA1
b0d70c220ebff54a902f5cf2777270b57d2025d3

SHA256
a24112bee124a0d2b4327ad4faa584cb31f280d789903477961728ba0a44d81a

SHA512
36cb305e6d67651100291c0e1498124649bbd0555273e57b77dfde43bd3694bffb96fa8df799858861a10f9b83fbfeebc02247855c27c9100b79d78114f7a7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9F91.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\dvajtoweqsyj.exe

Filesize
472KB

MD5
1412d60920ca86f26dfdbedda2e3786f

SHA1
44843fc5affe697b65fc9431a6f7d4d0d28ced91

SHA256
af4bd528b68ac052bb8d00f76e0490f636bbcfd8bafeb02e0ca9cf6a5568ea42

SHA512
fc7151cabfca31f852e21a4db1368f0b1f8135c721bb5cb3117b10b6105d63f657082c8c3c9c7ea752d6c75dd6c23b99a9b5ff8b461a059063db2b2ba448280a

Download Submit
memory/1400-12-0x00000000004D0000-0x0000000000556000-memory.dmp

Filesize
536KB

Download
memory/1400-1-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1400-0-0x00000000004D0000-0x0000000000556000-memory.dmp

Filesize
536KB

Download
memory/1400-11-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1908-5845-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2784-764-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2784-5331-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2784-5830-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2784-5844-0x0000000001F80000-0x0000000001F82000-memory.dmp

Filesize
8KB

Download
memory/2784-4593-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2784-4042-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2784-3146-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2784-2099-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2784-1326-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2784-995-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2784-16-0x0000000000280000-0x0000000000306000-memory.dmp

Filesize
536KB

Download
memory/2784-763-0x0000000000280000-0x0000000000306000-memory.dmp

Filesize
536KB

Download
memory/2784-614-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2784-227-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2784-13-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2784-6282-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download